The present invention relates to a fault tolerant computer controlled system as it can e.g. be used for controlling a vehicle or other critical device.

As computer systems gain increasing significance in many applications of human life, their reliability becomes more and more important because a failure may have dire consequences, including injury or casualties. Examples of such computer systems are vehicle guidance or control systems, such as train guidance or aircraft control systems, as well as medical systems.

Typical mean times between failure of electronic computers are in the order of 10^4 hours, which corresponds to a failure rate that is unacceptably high for critical applications. Hence, it has been common practice to use several computers in parallel, redundant operation in order to increase reliability.

Conventional redundant systems generally use a plurality of computers, which act as data sources in a network. The network consists of a plurality of communication links, each of which connects one computer with a data receiver, such as an actuator for a flap in an aircraft. The computers generate data items containing commands for the flap's operation. The flap receives all data items and combines them for generating an error tolerant data item, e.g. by determining a median value.

This type of system is unable to transmit data items upon failure of a communication link. To overcome this, it has been suggested to interconnect the computers using additional communication links. In case a communication link between a given computer and a data receiver is found to fail, the data items from the given computer are re-routed to other computers and an alternative communication link. As systems of this type may contain a large number of computers and receivers and an even larger number of communication links, the required steps for re-routing the data items upon failure of a communication link may become fairly complex. Also, analysis and testing of the system for all possible failures and re-routing configurations becomes very complicated and expensive, if not impossible.

The problem to be solved by the present invention is therefore to provide a method and system of the type mentioned above that is easier to implement, to analyze and to test while maintaining a low risk of failure.

This problem is solved by the method and sys- 
tem according to the independent claims. 

Hence, according to the invention, data is fed into the receiver communication links from the outputs of a switching assembly. The switching assembly has several inputs, each of which is connected to a data source or to another output. The switching assembly is able to connect each data source to each data receiver over at least two different receiver communication links. The whole system is adapted to send every data item from any given data source to any given data receiver through every one of the at least two different receiver communication links such that the given data receiver receives the same data item through at least two receiver communication links.

In normal operation, each data receiver receives every data item at least twice through separate communication links. Even though this requires additional bandwidth, it has the advantage that no re-routing of data items is required if a fault in a communication link occurs, i.e. the flow of information does not have to be rearranged when a failure occurs, which makes the system more reliable and easier to analyze and to test. It is easy to predict what kind of failures the system is able to handle and there is no need to test all possible combinations of potential failures.



In a preferred embodiment, the switching assembly is divided into a plurality of switching units, wherein each switching unit is connected via at least two switch communication links to other switching units and wherein each data receiver is connected to at least two different switching units. Subdividing the switching assembly in this way provides improved performance if any one of the switching units should fail. In a preferred embodiment, exactly one switching unit is attributed to each data source and, preferably, one input of each switching unit is connected to an output of its data source.

In a further preferred embodiment, a synchronous transmission scheme is used where repetitive time windows are attributed to each data source. In each time window, the switching assembly connects all receiver communication links to the data source attributed to the time window. This again leads to an increase of required bandwidth, but it helps to keep the system simple. In addition to this, it prevents a faulty data source from jamming a receiver communication link continuously because each data source only has access to the communication link during its data window. If the switching assembly is divided into switching units connected as mentioned above, the same scheme can be used for preventing a jamming of the switch communication links.

In another preferred embodiment, a unique key is attributed to each data source. The data items sent by each source are digitally signed by the corresponding key, and the signature is checked upon receipt of the data item in a data receiver. Using such a signature scheme provides a further possibility for detecting corrupted messages.

The present invention is particularly suited for controlling the direction and/or velocity of vehicles. In a preferred application, it is used for controlling an aircraft.



Other preferred embodiments are described in 
the dependent claims. 

The invention will be better understood and objects other than those set forth above will become apparent when consideration is given to the following detailed description thereof. Such description makes reference to the annexed drawings, wherein:

Fig. 1 is a block diagram of a fault tolerant computer system according to the present invention,

Fig. 2 shows a switching unit of one data source,

Fig. 3 is a timing schedule for data communication,

Figs. 4A, 4B, 4C are tables of redundant data items received by a data receiver,

Fig. 5 shows an aircraft controlled by a computer system according to the present invention,

Fig. 6 is a simplified illustration of Fig. 1 and

Fig. 7 is an alternative embodiment of the invention.

The system of Fig. 1 is operated by three redundant computers P0, P1 and P2, which process the signals from three sensors S0, S1 and S2 and two input devices V0, V1 and control three actuators A0, A1 and A2. One switching unit SU0, SU1, SU2 is attributed to each computer.

In a specific embodiment, the system shown here may control a vehicle, where the sensors S0, S1 and S2 e.g. measure the vehicle's position, attitude and/or velocity, the input devices V0 and V1 are controls operated by the user, and A0, A1 and A2 are actuators controlling the vehicle's drive and steering mechanism.

For reliability reasons, there are at least two redundant sensors for measuring each parameter used by the computers P0, P1, P2, and the input devices V0, V1 are provided in duplicate.
The computers P0, P1 and P2 generate commands for the actuators A0, A1, A2 as a function of the input provided by the sensors S0, S1 and S2 and the input devices V0, V1 as well as of state variables stored in the computers. The computers P0, P1 and P2 work independently. They are redundant, i.e. the commands generated by the computers are, in the absence of a system fault, ideally identical and therefore redundant. The commands are sent as data items to the actuators A0, A1, A2. The latter combine the received redundant data items in order to determine an error corrected data item. This is described in more detail below.

It must be noted that for most applications the corresponding number of components will be larger than shown in Fig. 1. However, the architecture of the present system can be scaled easily to meet the requirements of systems of any complexity.

In the following, this architecture is described in more detail. In this description, each computer P0, P1, P2 (or, more accurately, its output connected to the switching unit) is regarded as a "data source" sending data items to be received by the actuators A0, A1, A2. Each actuator A0, A1, A2 is regarded as a "data receiver" receiving the data items.

A plurality of communication links is provided for connecting the individual parts of the system. Input communication links LS0, LS1, LS2, LV0 and LV1 connect each sensor S0, S1, S2 and each input device V0, V1 to each computer P0, P1, P2. Switch communication links LPiPj interconnect the individual switching units SU0, SU1, SU2 (where i and j are integers between 0 and the number of switching units minus one). Receiver communication links LPiAk connect each switching unit SUi to the data receivers Ak (where k is an integer between 0 and the number of actuators minus one). Each data receiver Ak is connected to at least two receiver communication links LPiAk leading to different switching units SUi.



Each switch communication link LPiPj is a point to point connection and connects one output of a switching unit SUi to one input of another switching unit SUj. Similarly, each receiver communication link LPiAk is a point to point connection connecting one output of a switching unit SUi to one actuator Ak.

Preferably, the receiver communication links LPiAk are optical cables for reliable data transmission and safe galvanic protection of the remaining system because in many applications the actuators will operate high power equipment. The other communication links may be optical fibers, electric wires or radio links or others.

The architecture of the switching units SU0, SU1, SU2 is illustrated in Fig. 2. In the shown embodiment each switching unit SUi has three inputs I0 - I2 and five outputs O0 - O4. One switch (multiplexer) S0 - S4 is provided for each output so that each output can be selectively connected to any one of the inputs I0 - I2.

Inputs I0 and I2 are each connected to a switch communication link LPjPi, LPj'Pi receiving data items from two other switching units SUj and SUj'. Input I1 is connected to the data source attributed to the switching unit.

Outputs O0 and O4 are each connected to a switch communication link LPiPj, LPiPj' for sending data items to two other switching units SUj and SUj'. Outputs O1 and O2 are connected to receiver communication links LPiAk and LPiAk' for sending data items to receivers Ak and Ak'. Output O3 is connected to a data input of the computer attributed to the switching unit.

A switch control table 10 is provided for setting the switches S0 - S4 in accordance with signals from a clock unit 11.

Each switching unit SU0, SU1, SU2 is provided with its own clock unit 11 and its own table 10 in order to be able to set the switches autonomously. The clock units 11 are kept synchronized. Various fault tolerant methods for keeping clocks synchronized are known to the person skilled in the art, some of which are described by Fred B. Schneider in "Understanding Protocols for Byzantine Clock Synchronization", August 1987, Dept. of Computer Science, Cornell University. Preferably, the clock units 11 are synchronized by time stamps added by the data sources to each or at least part of the data items, wherein each switching unit extracts the time stamps of passing data items from different data sources and determines a global time therefrom, e.g. by finding a median of the time stamps received at one time and by calculating a deviation in respect to its own clock.
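
The median step just described, as an added example that is not part of the patent text: a small model of a clock unit 11 that takes the latest time stamp of each data source seen in one cycle, uses their median as the global time and corrects its own clock by the deviation. Microsecond units, the requirement of at least three sources before a correction is applied, and the sample stamps (including the deliberately wrong one attributed to P2) are assumptions made for this illustration.

```python
"""Clock synchronization of a switching unit by the median of received time stamps.

Added example, not code from the patent.  Units (microseconds), the three-source
minimum and all sample values are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class DataItem:
    source: str        # emitting data source, e.g. "P0"
    timestamp_us: int  # the source's view of global time when it sent the item


@dataclass
class ClockUnit:
    """Model of clock unit 11 of one switching unit (name assumed)."""
    local_time_us: int

    def synchronize(self, items: list[DataItem]) -> int:
        """Correct the local clock from passing data items; return the correction.

        Only the most recent stamp of each distinct source enters the vote, so
        a source that sends many items weighs no more than the others.  With n
        sources the median stays inside the range of the correct stamps as long
        as fewer than n/2 of them are wrong; below three sources a single faulty
        one could not be masked, so no correction is applied at all.
        """
        latest: dict[str, int] = {}
        for item in items:
            latest[item.source] = item.timestamp_us
        if len(latest) < 3:
            return 0
        global_time_us = int(median(latest.values()))
        deviation_us = global_time_us - self.local_time_us
        self.local_time_us += deviation_us
        return deviation_us


def demo() -> tuple[int, int]:
    """Constructed cycle: P2's clock is wildly off; the median still follows P0 and P1."""
    unit = ClockUnit(local_time_us=1_020)
    items = [
        DataItem("P0", 1_000),
        DataItem("P1", 1_010),
        DataItem("P2", 900_000),  # faulty source (constructed value)
    ]
    correction = unit.synchronize(items)
    return correction, unit.local_time_us
```

With the constructed stamps the unit's clock is pulled back by 10 us to 1010 us, and the 900 000 us stamp from the faulty source has no influence; with only two sources present the unit keeps its own clock rather than trusting a value it cannot cross-check.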

For regulating communication in the system, a time window is attributed to each data source, wherein the windows are preferably of equal length and are repeated at regular cycles as shown in Fig. 3. Data windows of unequal length may also be used, in particular if one of the data sources has a larger amount of data to transmit. In a given time window, the switching units SUi set the switches in such a way that all switch communication links LPiPj as well as all receiver communication links LPiAk are connected to the data source the window is attributed to.

As can be seen from Fig. 3 and as will be explained further below, additional time windows may be provided for transmissions from the actuators Ai.

The data sources are also synchronized, e.g. through the clock units of their attributed switching units, and only send data items within their data windows, wherein a leading and trailing end of each data window remains unused in order to account for synchronization mismatch and signal delays.

The lengths of the windows in Fig. 3 primarily depend on the amount of data to be transported and the maximum allowable time delay for transmitting a message. For most vehicle control systems, a window length in the order of 10 ms is found to be appropriate.

Using a fixed timing scheme for globally attributing the communication links to a single data source at a time leads to an increase in bandwidth requirements. However, in many applications, presently available communication links provide ample bandwidth for supporting this type of protocol.
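
The window scheme and the switch control table, as an added example (not code from the patent): a model of the three switching units of Fig. 1 that selects, per window, the single input to which all outputs are connected, and shows that a source transmitting outside its window is blocked at its own switching unit instead of reaching any link. It assumes the window length of about 10 ms given above, a guard band of 0.5 ms at each window end, and one reading of the Fig. 2 wiring: the switch link from SU(i+1) feeds input I0 of SUi, the one from SU(i+2) feeds I2, output O1 feeds receiver Ai and O2 feeds A(i+1).

```python
"""Time-windowed switching (Figs. 2 and 3): each window hands every link to one source.

Added example, not code from the patent.  Window length from the text; guard band
and wiring are assumptions, see the comments.
"""
from __future__ import annotations

N_UNITS = 3
WINDOW_MS = 10.0   # window length from the description
GUARD_MS = 0.5     # assumed unused band at each window end (sync mismatch, delays)
INPUT_OWN = "I1"   # input of SUi wired to its own data source Pi (Fig. 2)


def window_at(t_ms: float) -> int:
    """Index of the data source owning the time window that contains t_ms."""
    return int(t_ms // WINDOW_MS) % N_UNITS


def source_may_send(source: int, t_ms: float) -> bool:
    """True if a well-behaved source Pi is allowed to transmit at instant t_ms."""
    offset = t_ms % WINDOW_MS
    return window_at(t_ms) == source and GUARD_MS <= offset <= WINDOW_MS - GUARD_MS


def input_from_unit(i: int) -> dict[int, str]:
    """Input of SUi fed by the switch link from each other unit (assumed wiring)."""
    return {(i + 1) % N_UNITS: "I0", (i + 2) % N_UNITS: "I2"}


def switch_control_table(i: int) -> dict[int, str]:
    """Table 10 of SUi: window k -> the single input connected to all outputs O0..O4."""
    return {k: (INPUT_OWN if k == i else input_from_unit(i)[k]) for k in range(N_UNITS)}


def receiver_links(i: int) -> dict[str, str]:
    """Receiver communication links driven by outputs O1 and O2 of SUi (assumed wiring)."""
    return {"O1": f"LP{i}A{i}", "O2": f"LP{i}A{(i + 1) % N_UNITS}"}


def deliver(t_ms: float, on_wire: dict[int, str]) -> tuple[dict[str, str], dict[int, str]]:
    """Propagate what the sources put on the wire at instant t_ms.

    on_wire maps a source index to the payload it is transmitting right now; a
    faulty source may appear here outside its own window.  Returns the payload
    seen on every receiver link and the payloads blocked at their own unit.
    """
    k = window_at(t_ms)
    delivered: dict[str, str] = {}
    blocked: dict[int, str] = {}
    for i in range(N_UNITS):
        # Contents of the inputs of SUi in window k: I1 carries whatever Pi is
        # sending; a switch link from SUj carries SUj's selected input, which in
        # window k is Pk's data (SUj's own source or relayed from SUk).
        inputs: dict[str, str | None] = {INPUT_OWN: on_wire.get(i)}
        for inp in input_from_unit(i).values():
            inputs[inp] = on_wire.get(k)
        selected = switch_control_table(i)[k]
        payload = inputs[selected]
        if payload is not None:
            for link in receiver_links(i).values():
                delivered[link] = payload
        if selected != INPUT_OWN and inputs[INPUT_OWN] is not None:
            blocked[i] = inputs[INPUT_OWN]  # Pi transmitting outside its window
    return delivered, blocked
```

At t = 3 ms the window belongs to P0; if P2 also transmits at that instant, all six receiver links carry P0's item and P2's payload is dropped at SU2, whose switches are set to the input from SU0. No switching unit needs to know that P2 is faulty for this to work, which is the point of the fixed schedule.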

As becomes clear from the above, each data source Pi sends all its data items to all data receivers Ak simultaneously, and each data receiver receives every data item through at least two different receiver communication links LPjAk simultaneously. Hence, in normal operation, the data receiver receives each data item from each data source at least twice, and because all data sources are generating redundant data items, the data receiver receives a group of six redundant versions of each data item through different paths of the network.

This is illustrated for data receiver A0 in Figs. 4A, 4B and 4C. The data receiver tries to receive all six data items of the group and can verify their physical integrity, e.g. by verifying a check sum or a digital signature as described below. In the absence of any error in transmission, each data item is flagged as "ok" as shown in Fig. 4A. In case of a failure of communication link LP1P0, only five data items are valid, Fig. 4B. Even if, in addition to this, communication link LP2A0 fails, two data items are still valid, Fig. 4C.

From the valid received redundant data items, the data receiver generates an error corrected data item using known permutation-invariant techniques (median, majority, ...). For example, if the data items specify a numerical parameter, the median value of the parameter given by the valid data items is determined.
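
The six-copy table of Figs. 4A to 4C and the median step, as an added example that is not part of the patent: it records the path of each copy to A0 as the list of links it crosses, invalidates the copies that a given set of failed links takes out, and combines the rest by median. The wiring (A0 fed by SU0 and SU2, P1's item reaching A0 over LP1P0 or LP1P2) is inferred from the two failure cases quoted above, the command values are constructed, and the example goes one step beyond the text by also showing a faulty source being outvoted.

```python
"""Redundant delivery to receiver A0 (Figs. 4A to 4C) and median combination.

Added example, not code from the patent.  Wiring inferred from the failure cases
in the text; command values constructed.
"""
from __future__ import annotations

from statistics import median

# Path of Pi's data item to A0 over each of A0's two receiver links, as the
# ordered list of links traversed.  A copy is valid only if every link on its
# path works (assumed wiring, consistent with Figs. 4B and 4C).
PATHS_TO_A0: dict[tuple[int, str], list[str]] = {
    (0, "LP0A0"): ["LP0A0"],
    (0, "LP2A0"): ["LP0P2", "LP2A0"],
    (1, "LP0A0"): ["LP1P0", "LP0A0"],
    (1, "LP2A0"): ["LP1P2", "LP2A0"],
    (2, "LP0A0"): ["LP2P0", "LP0A0"],
    (2, "LP2A0"): ["LP2A0"],
}


def receive_group(commands: dict[int, float],
                  failed_links: set[str]) -> dict[tuple[int, str], float | None]:
    """The table of Figs. 4A to 4C: value of each of the six copies, None if invalid.

    commands gives the value each source Pi emitted (identical when no source is
    faulty).  A copy whose path crosses a failed link either never arrives or
    arrives corrupted and fails its check sum or signature; both are "invalid".
    """
    return {
        (src, link): (None if failed_links.intersection(path) else commands[src])
        for (src, link), path in PATHS_TO_A0.items()
    }


def combine(group: dict[tuple[int, str], float | None]) -> tuple[float | None, int]:
    """Error-corrected value as the median of the valid copies, plus their count.

    The median is permutation invariant, so which copies were lost does not
    matter.  A faulty source contributes two identical wrong copies; among six
    they sit together at one end of the sorted list and are outvoted by the
    other four.  With no valid copy the receiver gets None and must hold a safe
    state; the text leaves that fallback to the application.
    """
    valid = [v for v in group.values() if v is not None]
    if not valid:
        return None, 0
    return median(valid), len(valid)
```

With LP1P0 down five copies survive; with LP2A0 down as well only P0's and P2's copies over LP0A0 remain, exactly the two valid entries of Fig. 4C. Note that the vote is effectively over sources, not paths: a source that emits a wrong value poisons both of its copies, so six copies tolerate one faulty source, not two.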

As mentioned above, the data items can comprise a digital signature. In order to generate a digital signature (and, optionally, an encryption), a unique key is attributed to each data source P0, P1, P2. Using this unique key, each data source creates a digital signature as known to a person skilled in the art, i.e. a signature value that depends on the message to be transmitted in the data item as well as on the key, wherein the algorithm used for generating the signature is such that it is possible to verify with sufficient reliability if a given signature value was generated using a given key or not. For improved security, signature schemes based on asymmetric keys can be used. It must be noted, however, that the signature schemes that can be used in the context of the present invention may be simpler and less tamper-proof than those generally used in data communication because they primarily have to protect against system failure but not against intentional tampering.

When a data receiver receives a message from a given data source, it checks the validity of the data item by checking if the signature matches the key of the data source. If not, the data item is flagged to be invalid.
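
The per-source signing and the receiver-side check, as an added example that is not part of the patent, which leaves the algorithm open: HMAC-SHA256 stands in for the "simpler" symmetric scheme the text allows, with a tag over the message under the emitting source's unique key, verified by the receiver with the key it holds for that source. The wire format (source id, sequence number, command value, 16-byte tag) and the keys are assumptions. One caveat a practitioner would add to the paragraph above: with a symmetric scheme every receiver holds all source keys, which is adequate against faults but means any receiver could forge any source; where a link or receiver can be reached by an adversary, the asymmetric signatures the text mentions as the stronger option are the right choice.

```python
"""Per-source keyed signatures on data items, checked at the data receiver.

Added example, not code from the patent.  HMAC-SHA256, the wire format and the
keys are assumptions; see the lead-in for the symmetric-key caveat.
"""
from __future__ import annotations

import hashlib
import hmac
import struct

# Unique key per data source (constructed; provisioned to sources and receivers).
KEYS: dict[str, bytes] = {
    "P0": hashlib.sha256(b"constructed key P0").digest(),
    "P1": hashlib.sha256(b"constructed key P1").digest(),
    "P2": hashlib.sha256(b"constructed key P2").digest(),
}
MSG = struct.Struct(">2sIq")  # source id, sequence number, command value (assumed format)
TAG_LEN = 16                  # truncated HMAC-SHA256 tag (assumed length)


def make_item(source: str, seq: int, value: int) -> bytes:
    """Data item = message || signature, signed with the emitting source's key."""
    msg = MSG.pack(source.encode("ascii"), seq, value)
    tag = hmac.new(KEYS[source], msg, hashlib.sha256).digest()[:TAG_LEN]
    return msg + tag


def check_item(item: bytes) -> tuple[bool, str | None, int | None]:
    """Receiver side: return (valid, source, value); an invalid item yields no fields.

    The source id is read from the item only to select the key; the MAC check
    then establishes that the item was produced with that key and not altered,
    so a corrupted or mis-attributed item is flagged invalid instead of voted.
    """
    if len(item) != MSG.size + TAG_LEN:
        return False, None, None
    msg, tag = item[:MSG.size], item[MSG.size:]
    source_raw, _seq, value = MSG.unpack(msg)
    source = source_raw.decode("ascii", errors="replace")
    key = KEYS.get(source)
    if key is None:
        return False, None, None
    expected = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return False, None, None
    return True, source, value


def demo() -> dict[str, bool]:
    """Constructed cases: intact item, bit flip in the value, tag from the wrong key, truncated."""
    item = make_item("P1", 7, 12_500)
    flipped = bytearray(item)
    flipped[10] ^= 0x01  # corrupt one bit of the command value field
    msg = item[:MSG.size]
    wrong_key = msg + hmac.new(KEYS["P2"], msg, hashlib.sha256).digest()[:TAG_LEN]
    return {
        "intact": check_item(item)[0],
        "bit_flip": check_item(bytes(flipped))[0],
        "wrong_key": check_item(wrong_key)[0],
        "truncated": check_item(item[:-1])[0],
    }
```

Only the intact item passes; a single flipped bit, a tag computed under another source's key (a mis-attributed item) and a truncated item are all flagged invalid and drop out of the median vote.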

An application of the present system is schematically illustrated in Fig. 5. The figure shows a VTOL aircraft 20 as it is e.g. disclosed in WO 01/30652 with a plurality of tiltable drive units 21, each of which comprises an electrically driven fan. The drive units 21 provide attitude control, lift and forward thrust for the aircraft. Each drive unit 21 comprises a drive control unit for controlling its tilt angle and thrust. Each control unit receives its settings from one of the data receivers Ak described above. In addition to this, attitude sensors Sm, Sn and other types of sensors as well as the input devices V0 and V1 are arranged in the aircraft for providing the computers Pi with input data.

In order to discuss some of the many modifications of the present invention, we now refer to Fig. 6, which shows the embodiment of Fig. 1 in schematic manner.

As can be seen from Fig. 6, one of the advantages of the described embodiment of the present invention lies in the fact that each data receiver Ak receives data from all data sources Pi over redundant paths even though the number of receiver communication links LPiAk for a given receiver Ak is smaller (namely 2) than the number of data sources (namely 3). This is due to the fact that the switching units SUi allow each data source Pi to access both receiver communication links of a given data receiver.

The minimum number of receiver communication links to each data receiver is 2 if alternative paths are to be provided for each data item. In order to increase reliability, more than two receiver communication links for each data receiver could be provided.

In the embodiment of Fig. 6, each switching unit SUi is connected for sending and receiving data with two other switching units, thereby providing alternative paths between switching units. For increased reliability, this number can be larger than two, but there may also be only one single switch communication link per switching unit.

In the embodiment of Fig. 6, one switching unit SUi is attributed to each computer Pi. Preferably, each computer and each switching unit are located physically close to each other such that they may share some mechanical or electrical components. However, it is preferred that the switching unit is able to operate independently of its attributed computer, i.e. when the computer fails in its data processing, the switching unit should still continue to operate.

A close physical placement of the computer and its associated switching unit is preferred but not required. The switching unit can be placed at an arbitrary position. However, if the distance between a computer and its switching unit becomes large, the risk of failure of the communication links between them increases. In that case it can be advisable to provide additional redundant communication links between the computer and the switching unit.

Fig. 7 illustrates an embodiment with four computers Pi and only two switching units SUj. Here, each switching unit has four inputs and six outputs, and the individual switches S have four possible positions. Again, the switches are positioned according to the data source the current window is attributed to such that the signals of this data source are sent to all receiver communication links and to the switch communication links.

It must be noted that in the above description and the enclosed figures, only the most important ones of the communication links between the components are described and shown. In addition to this, the network may comprise further communication links, e.g. from the actuators back to the computers or to a separate monitoring unit. Similarly, the switching unit may comprise, in addition to switches connected to the receiver communication links and the switch communication links, additional switches for feeding data to other types of receivers, such as the switches S3 for feeding data items to the inputs of the computers.

For example, if it is desired that the actuators A0, A1, A2 are able to send feedback to the computers P0, P1, P2, the communication links between the switching units SUi and the actuators may be bidirectional. For example, a feedback link LAiPk may lead from each actuator to the two switching units it is connected to, as shown in dashed lines for actuator A1 in Fig. 1. The number of inputs to the switches S0 - S4 in each switching unit would correspondingly be increased by two, such that they are able to connect the feedback links LAiPk to the outputs of the switching units during time windows attributed to the actuators (see Fig. 3). In other words, actuators A0, A1, A2 can also act as data sources. However, in contrast to computers P0, P1 and P2, they are generally not redundant data sources, but they can transmit the data over redundant paths to the selected receivers.

The term "system" as used here is understood to designate an apparatus comprising data sources and data receivers as well as the network connecting them, but it is also used to designate a method for operating such an apparatus.
Claims

1. An error tolerant computer controlled system comprising

a plurality of redundant data sources (P0, P1, P2) generating at least partially redundant data items,

a plurality of data receivers (A0, A1, A2) for receiving the redundant data items and combining them to an error tolerant data item,

a switching assembly (SU0, SU1, SU2) with a plurality of inputs and outputs, wherein each input is connected to one data source (P0, P1, P2) or to one output and wherein each output is connected to one input or to one data receiver (A0, A1, A2), and wherein each data receiver (A0, A1, A2) is connected via separate receiver communication links (LPiAk) to at least two outputs,

wherein said switching assembly (SU0, SU1, SU2) is adapted to connect any of said data sources (P0, P1, P2) to each of said data receivers (A0, A1, A2) over at least two different receiver communication links (LPiAk), and wherein said computer controlled system is adapted to send every data item from any given data source (P0, P1, P2) to any given data receiver (A0, A1, A2) through every one of the at least two different receiver communication links (LPiAk) such that the given data receiver receives the same data item through at least two receiver communication links (LPiAk).

2. The system of claim 1 wherein each receiver communication link (LPiAk) connects exactly one output to exactly one receiver.

3. The system of any of the preceding claims wherein the number of receiver communication links (LPiAk) for each data receiver (A0, A1, A2) is smaller than the number of data sources (P0, P1, P2), and in particular wherein the number of receiver communication links (LPiAk) for each data receiver (A0, A1, A2) is 2.

4. The system of any of the preceding claims wherein the switching assembly (SU0, SU1, SU2) is divided into a plurality of switching units, wherein each input of each switching unit is either connected to one data source (P0, P1, P2) or via a switch communication link (LPiPj) to one output of another switching unit, wherein each switching unit is connected via at least two switch communication links (LPiPj) to other switching units, wherein each switch communication link (LPiPj) connects one output to one input, and wherein each data receiver (A0, A1, A2) is connected via the receiver communication links (LPiAk) to at least two different switching units (SU0, SU1, SU2), and in particular wherein, for each switching unit, each output can be connected to each input.

5. The system of claim 4 wherein exactly two switch communication links (LPiPj) are attached to the inputs of each switching unit (SUi) and/or wherein exactly two switch communication links (LPiPj) are attached to the outputs of each switching unit (SUi).

6. The system of any of the claims 4 to 5 wherein the number of switching units (SUi) corresponds to the number of data sources (P0, P1, P2) and wherein each switching unit is attributed to one data source (P0, P1, P2), and wherein one input of each switching unit is connected to its attributed data source (P0, P1, P2), and in particular wherein one output of the switching unit is connected to its attributed data source (P0, P1, P2).

7. The system of any of the preceding claims wherein repetitive time windows are attributed to each data source (P0, P1, P2) and wherein, in each time window, the switching assembly (SU0, SU1, SU2) connects all receiver communication links (LPiAk) to the data source (P0, P1, P2) attributed to the time window while disconnecting the remaining data sources (P0, P1, P2) from the receiver communication links (LPiAk).

8. The system of claim 7 and of any of the claims 4 to 6 wherein, in each time window, the switching assembly (SU0, SU1, SU2) connects all switch communication links (LPiPj) to the data source (P0, P1, P2) attributed to the time window while disconnecting the remaining data sources (P0, P1, P2) from the switch communication links (LPiPj).

9. The system of any of the claims 7 to 8 wherein at least part of the data items carries a time stamp and wherein each switching unit (SUi) comprises a clock (11) synchronized by the time stamps.

10. The system of claim 9 wherein each switching unit (SUi) is adapted to combine a plurality of received data items carrying time stamps in order to determine a time base, in particular by determining a median of the time stamps of data items from different data sources (P0, P1, P2).

11. The system of any of the preceding claims wherein a unique key is attributed to each data source (P0, P1, P2) and each data source (P0, P1, P2) is adapted to generate a digital signature for each data item it sends using its unique key, and wherein the data receivers (A0, A1, A2) are adapted to check a validity of the signature upon receipt of a data item.

12. The system of any of the preceding claims wherein said data receiver (A0, A1, A2) is adapted to check a validity of each of the received data items and to use only those data items of a group of redundant data items that are valid, and in particular wherein it determines a median or majority value of the valid data items of the group of redundant data items.

13. The system of any of the preceding claims wherein said data receivers (A0, A1, A2) comprise actuators.



14. The system of any of the preceding claims further comprising feedback links (LAiPk) for transmitting data from said data receivers to said switching assembly.

15. A vehicle comprising the system of any of the preceding claims, wherein said data receivers (A0, A1, A2) control a drive and steering mechanism of the vehicle.

16. An aircraft comprising the system of any of the claims 1 to 14.

17. The aircraft of claim 16 comprising at least one pivotal drive unit (21) for attitude control and for generating lift and forward thrust, and a drive control unit for controlling a tilt angle and a thrust of said drive unit, wherein said control unit is controlled by one of said data receivers (A0, A1, A2), and in particular wherein said drive unit is driven by an electrical motor.
Abstract

An error tolerant computer controlled system comprises several computers (P0, P1, P2) working redundantly and controlling actuators (A0, A1, A2) based on signals from sensors (S0, S1, S2) and input devices (V0, V1). Each data item emitted by each computer is simultaneously sent through differing communication paths to each actuator, such that in normal operation each actuator receives each data item through several paths. This system continues to function properly even in case of a failure without requiring any re-routing of the data items, which makes it easier to design, analyze and test and thereby increases its reliability.



(Fig. 1) 



